Practice CRISC Risk Response and Mitigation questions with full explanations on every answer.
1. After implementing a new web application, the risk owner reports that the residual risk level is still above the risk appetite. Which of the following should be the risk practitioner's FIRST action?
2. A multinational organization is implementing a risk mitigation strategy for a critical system. The business impact analysis shows that downtime costs are extremely high. Which risk response strategy is MOST appropriate for this scenario?
3. An organization decides to outsource its data center operations to a third party. This is an example of which risk response?
4. During a review, a risk practitioner discovers that a key control for a high-risk process is not operating effectively. The risk owner is reluctant to invest in additional controls due to budget constraints. What should the risk practitioner do FIRST?
5. A company has implemented a risk mitigation plan that includes technical controls. However, six months later, the residual risk is still higher than expected. The risk practitioner suspects that the controls are not being followed. Which of the following is the BEST approach to verify this?
6. Which TWO of the following are effective risk mitigation strategies for reducing the likelihood of a ransomware attack?
7. Which THREE of the following are key components of an effective risk treatment plan?
8. Refer to the exhibit. A risk practitioner is reviewing the access control list for a critical server. The ACL is applied inbound on the interface connecting to the internet. Which of the following is the MOST significant risk?
9. You are a risk practitioner at a financial institution that is migrating its core banking system to a cloud provider. The migration plan includes a phased approach, with the first phase moving non-critical applications. However, during the second phase (moving customer-facing applications), the cloud provider experiences a major outage that lasts 6 hours. The outage was caused by a misconfiguration in the provider's network. The institution had conducted a risk assessment and identified cloud provider downtime as a risk, but the treatment plan only included a service level agreement (SLA) with financial penalties. The SLA does not cover the reputational damage and loss of customer trust. The risk register shows that the residual risk level was marked as 'low' before the incident. After the incident, senior management is demanding a review. Which of the following is the MOST appropriate action for the risk practitioner to take?
10. A risk assessment for a financial trading platform has identified a high-risk vulnerability in the order matching engine. The risk owner has recommended implementing compensating controls rather than fixing the underlying code. Which TWO of the following are valid compensating controls? (Choose two.)
11. Based on the risk register exhibit, which of the following is the MOST appropriate risk response for R-0042?
12. A global manufacturing company is implementing a new ERP system across multiple regions. The project manager has identified a risk that data migration from legacy systems may cause data corruption, leading to production delays. The risk owner proposes conducting a full data reconciliation after migration. However, the IT director argues that this would be too time-consuming and suggests only sampling data for verification. The risk manager must decide on the risk response. The project timeline is tight, and the company has a low tolerance for data integrity issues. Which of the following is the BEST course of action?
13. Order the steps for implementing a risk treatment plan.
14. Sequence the steps for implementing a new control based on risk assessment findings.
15. Put the steps for performing a control self-assessment (CSA) in order.
16. Match each risk response strategy to its definition.
17. Match each risk management term to its definition.
18. Match each risk management process step to its activity.
19. A company has identified a critical vulnerability in a legacy application that cannot be patched immediately. The application is used by a small number of users and supports a non-critical business process. Which of the following is the MOST appropriate risk response strategy?
20. During a risk assessment, the risk owner identifies that the residual risk level is higher than the risk appetite. Which of the following actions should the risk owner take FIRST?
21. An organization's security team recommends implementing a web application firewall (WAF) to protect against SQL injection attacks. The risk manager evaluates the cost of the WAF and the likelihood of a successful attack. This evaluation is BEST described as:
22. A company is implementing a new cloud-based customer relationship management (CRM) system. The risk manager has identified that the vendor's security controls may not meet the company's requirements. Which of the following is the BEST way to address this risk?
23. A risk assessment reveals that a data center is located in a flood-prone area. The organization decides to build a secondary data center in a different region and replicate critical data between both sites. This is an example of which risk response?
24. After implementing a set of controls, the risk owner calculates the residual risk and finds it is still above the risk tolerance. However, the cost to further reduce the risk exceeds the potential loss. What is the MOST appropriate next step?
25. An organization is considering outsourcing its IT support to a third-party provider. The risk manager has identified that the provider's data handling practices may not comply with regulatory requirements. Which of the following is the BEST risk response strategy?
26. A bank implements a new transaction monitoring system to detect fraudulent activities. After six months, the system has a high false positive rate, causing analysts to miss real threats. Which of the following is the BEST way to address this risk?
27. A multinational corporation is evaluating a new vendor for cloud services. The vendor's data centers are located in a country with weak data protection laws. The corporation's data includes personal information of EU citizens subject to GDPR. What is the MOST appropriate risk response?
28. Which TWO of the following are examples of risk mitigation controls?
29. Which THREE of the following are key considerations when selecting a risk response option?
30. Which TWO of the following are valid reasons to accept a risk rather than mitigate it?
31. Refer to the exhibit. Which of the following is the MOST critical risk that should be addressed first?
32. Refer to the exhibit. An organization uses this firewall access list. What is the MOST significant risk associated with this configuration?
33. Refer to the exhibit. Which type of attack is MOST likely indicated by these log entries?
34. A security team identifies a critical vulnerability in a web application that cannot be patched immediately. They deploy a web application firewall (WAF) to block exploitation attempts. This is an example of:
35. An organization purchases cyber insurance to cover potential losses from data breaches. This is an example of:
36. After a risk assessment, a company decides to stop using a third-party service that has high residual risk. This is an example of:
37. During a post-mortem of a security incident, the risk manager notes that the response team failed to execute the incident response plan correctly because the plan was outdated. Which of the following is the BEST corrective action?
38. A risk assessment reveals that a legacy system has a high likelihood of failure. The system is critical and cannot be replaced immediately. The company decides to implement manual overrides and additional monitoring. This is an example of:
39. An organization has a policy requiring all sensitive data to be encrypted at rest. During an audit, it is found that encryption keys are stored in plaintext on the same server. Which risk response is MOST appropriate?
40. A company faces a risk of data loss due to untrained staff. They implement mandatory training and quarterly phishing simulations. This is:
41. A risk assessment identifies that a legacy system has a high risk of failure with no available vendor support. The organization decides to decommission the system and migrate to a modern platform. This is:
42. After implementing multiple controls, the residual risk for a new product launch is still slightly above the risk appetite. The risk manager decides to proceed with the launch and monitor the risks regularly. This is:
43. Which TWO of the following are examples of risk transfer? (Select TWO.)
44. Which TWO of the following are examples of risk avoidance? (Select TWO.)
45. Which THREE of the following are examples of risk mitigation controls? (Select THREE.)
46. Based on the exhibit, what is the primary risk response strategy demonstrated by this firewall rule?
47. Based on the exhibit, which risk response should be prioritized?
48. Based on the exhibit, which risk is most likely present and what is the most appropriate risk response?
49. A global company uses a critical third-party vendor for data processing. The inherent risk is high, but the vendor has implemented robust controls. However, due to recent geopolitical instability, the vendor's physical location is at risk. The risk owner recommends purchasing a business continuity insurance policy. Which risk response is being applied?
50. A new privacy regulation requires that all personal data be encrypted at rest. The current systems lack encryption. The cost to implement encryption is moderate, and the risk of non-compliance is high. Which risk response is most appropriate?
51. After implementing security controls, a risk assessment shows a residual risk of data exfiltration with a probability of 5% and potential loss of $10 million. The organization's risk appetite allows a maximum acceptable risk level of 3% probability for such impact. The cost of further mitigation is $1 million. What is the best risk response?
52. An employee with access to sensitive financial data has been observed accessing systems outside of normal working hours and exhibiting erratic behavior. The IT risk manager suspects insider threat. What is the most appropriate risk response?
53. A recent security assessment identified that a critical web application is vulnerable to SQL injection due to unpatched software. The vendor has released a security patch. Which risk response is most appropriate?
54. An organization uses a legacy system that cannot be patched because the vendor is defunct. The system supports a core business function. The risk assessment shows a high likelihood of exploitation and high impact. The board has decided to keep the system operational due to its criticality. Which risk response should the risk manager recommend?
55. A risk assessment reveals that the cost of implementing a control ($500k) exceeds the annualized loss expectancy (ALE) of $300k. The risk is currently within the organization's risk appetite. What is the appropriate risk response?
56. For a risk with very low likelihood and low impact, what is the typical risk response?
57. A third-party vendor's security assessment reveals multiple high-risk findings related to data handling. The vendor is unwilling to remediate, citing cost. The vendor contract includes a clause that requires adherence to security standards. The organization's risk appetite for third-party risk is low. What is the most appropriate risk response?
58. A company has a critical production system with a known vulnerability. Due to the system's age, the vendor no longer supports it. The company decides to implement network segmentation and purchase cyber insurance to cover potential losses. Which TWO risk response options are they applying?
59. An organization assesses a risk of intellectual property theft through email exfiltration. They decide to enforce DLP controls, purchase a cyber liability policy, and officially accept the residual risk after controls. Which THREE risk response options are demonstrated?
60. A risk assessment identifies a high likelihood of a data breach due to insecure APIs. The risk team proposes disabling the APIs until they are secured, implementing a WAF, and purchasing breach insurance. Which THREE risk response options are being considered?
61. Refer to the exhibit. Based on the risk register, which risk response is applied to the risk with the highest inherent risk?
62. Refer to the exhibit. A risk manager reviews the vulnerability scan output. According to the policy, what is the required risk response?
63. GlobalTech Inc., a multinational corporation, is planning to migrate its customer data to a new cloud platform. The migration involves transferring sensitive personally identifiable information (PII) from an on-premises database to a cloud-based CRM. The risk manager conducted a risk assessment and identified several risks, including unauthorized access during transit and residual data exposure due to misconfiguration. Mitigation controls include encryption in transit, encryption at rest, and strict access controls. The residual risk after mitigation is assessed as medium. The risk appetite statement defines that 'No data breach incidents resulting in regulatory fines exceeding $1 million are acceptable.' The estimated potential fine from a breach is $5 million with a likelihood of 2% after controls. The cost of additional controls to reduce likelihood to 0.5% is $500,000. The migration team proposes to purchase cyber insurance with $3 million coverage for a $200,000 annual premium. The board of directors prefers to accept the residual risk to avoid additional costs. What should the risk manager do?
64. Which THREE of the following are key components of an effective risk response plan?
65. A small e-commerce company has identified a high-risk vulnerability in its payment processing system that could expose customer credit card data. The IT team recommends immediately patching the system, but the patch requires a 4-hour downtime during peak sales hours. The risk manager proposes accepting the risk until the next scheduled maintenance window in two weeks. The CEO is concerned about potential fines from PCI DSS non-compliance. What is the BEST course of action?
66. A multinational corporation has adopted a risk mitigation strategy for its key suppliers by requiring them to maintain ISO 27001 certification. During an audit, the risk manager discovers that one critical supplier lost its certification six months ago but did not report it, as contractually required. The supplier still has adequate security controls in place, and the relationship is strategically important. The CEO wants to avoid contract termination. What is the MOST appropriate risk response?
67. A financial institution is implementing a new online banking platform. The risk assessment identified that the platform will handle sensitive customer data and must comply with GDPR and local banking regulations. The project team proposes encrypting all data at rest and in transit, implementing multi-factor authentication (MFA), and conducting quarterly penetration tests. However, the risk owner is concerned about the residual risk of a sophisticated phishing attack that could bypass MFA. The board has a low risk appetite. What is the BEST way to address this residual risk?
68. A healthcare organization is migrating its electronic health records (EHR) system to a cloud provider. The risk assessment shows that the cloud provider has strong security certifications (e.g., SOC 2 Type II, ISO 27001). However, the organization's legal team is concerned about data sovereignty laws that require patient data to remain within the country. The cloud provider's data centers are located in three regions: one in-country, and two outside. The project manager proposes using only the in-country data center. The IT director warns that this will increase latency and reduce redundancy. The risk manager must propose a response. Which is the BEST option?
69. A risk practitioner is reviewing the organization's risk response strategies for a high-value asset. Which TWO of the following are examples of risk mitigation techniques? (Choose two.)
70. Refer to the exhibit. Given the organization's risk appetite is Low, which risk response is most appropriate?
71. A multinational corporation has recently experienced a significant increase in phishing attacks targeting its employees. The attacks have caused several data breaches, resulting in regulatory fines and reputational damage. The organization has implemented security awareness training for all employees, but the number of successful attacks remains high. Additionally, the organization's risk appetite for cybersecurity incidents is Low. The CRO has asked you to recommend a risk response. You have the following options:
A. Accept the risk because the training has reduced the likelihood, and further controls are too expensive.
B. Transfer the risk by outsourcing all email and security operations to a managed security service provider (MSSP).
C. Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.
D. Avoid the risk by discontinuing the use of email for business communications.
Which course of action is most appropriate given the organization's risk appetite and the current situation?
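The quantitative items in this list (51, 55 and 63) all turn on the same arithmetic: annualized loss expectancy (SLE x ARO), the net benefit of a control (ALE reduction minus its cost), and the expected value of an insurance policy whose payout is capped at the coverage limit. The Python below is an added worked example and is not part of the Courseiva question bank or its explanations. It takes the figures from those three stems and assumes the quoted probabilities are annual rates (the stems do not say so) and that the $300k in item 55 is already an ALE; the class and function names are the example's own.

```python
"""Quantitative risk-response arithmetic behind CRISC-style items.

Added worked example, not part of the question bank. Assumption: the
probabilities quoted in the stems are annual rates, so expected loss is an
annualized loss expectancy (ALE). Dollar figures come from items 51, 55, 63.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: loss if the event occurs once ($)
    aro: float  # annualized rate of occurrence (events per year)

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro

    def with_aro(self, aro: float) -> "Risk":
        """The same risk after a control has changed its likelihood."""
        return Risk(self.name, self.sle, aro)


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus its cost.

    A negative result means the control costs more than the loss it avoids,
    which is the standard argument for accepting rather than mitigating.
    """
    return (ale_before - ale_after) - annual_cost


def insurance_net_benefit(risk: Risk, coverage: float, premium: float) -> float:
    """Expected annual payout (capped at the policy limit) minus the premium.

    Transfer moves only the insured financial loss: anything above the cap,
    and non-financial impact such as reputational damage, stays with the insured.
    """
    expected_payout = risk.aro * min(risk.sle, coverage)
    return expected_payout - premium


def likelihood_exceeds_appetite(risk: Risk, max_aro: float) -> bool:
    """Appetite stated as a maximum probability for a given impact (item 51)."""
    return risk.aro > max_aro


def single_event_exceeds_threshold(risk: Risk, threshold: float) -> bool:
    """Appetite stated per incident ('no fine over $1M', item 63) is not an
    expected-value test: one occurrence is compared with the threshold."""
    return risk.sle > threshold


def page_scenarios() -> dict:
    """Apply the arithmetic to the figures quoted in items 51, 55 and 63."""
    exfil = Risk("item 51: data exfiltration", sle=10_000_000, aro=0.05)
    breach = Risk("item 63: PII breach fine", sle=5_000_000, aro=0.02)
    breach_after = breach.with_aro(0.005)  # item 63's proposed extra controls
    return {
        # Item 51: residual ALE, appetite check, and whether $1M of further
        # mitigation could ever pay for itself (best case: risk reduced to zero).
        "q51_ale": exfil.ale(),
        "q51_over_appetite": likelihood_exceeds_appetite(exfil, max_aro=0.03),
        "q51_best_case_control_benefit": control_net_benefit(exfil.ale(), 0.0, 1_000_000),
        # Item 55: a $500k control against a stated ALE of $300k.
        "q55_control_benefit": control_net_benefit(300_000, 0.0, 500_000),
        # Item 63: likelihood 2% -> 0.5% for $500k, or a $3M policy for $200k.
        "q63_ale_before": breach.ale(),
        "q63_ale_after": breach_after.ale(),
        "q63_control_benefit": control_net_benefit(breach.ale(), breach_after.ale(), 500_000),
        "q63_insurance_benefit": insurance_net_benefit(breach, coverage=3_000_000, premium=200_000),
        "q63_single_fine_over_threshold": single_event_exceeds_threshold(breach, 1_000_000),
    }


if __name__ == "__main__":
    for key, value in page_scenarios().items():
        print(f"{key:32} {value}")
```

Two points the numbers make that the stems only imply: in item 63 both the extra controls (ALE falls from $100k to $25k for a $500k spend) and the policy (expected payout $60k against a $200k premium) are negative in expected-value terms, yet a single breach still produces a $5M fine, so an appetite written as a per-incident ceiling is not met by either option on arithmetic alone. A negative insurance figure is also normal in practice, since premiums price the insurer's margin and the buyer's risk aversion, so expected value is an input to the transfer decision, not the whole of it.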
The Risk Response and Mitigation domain covers the key concepts tested in this area of the CRISC exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains — no account required.
The Courseiva CRISC question bank contains 71 questions in the Risk Response and Mitigation domain.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.